Zero Day PowerShell Attacks Heading Your Way
by Eirik Iverson, Product Management
Researchers at Black Hat 2010 and DefCon 18 demonstrated how to circumvent the security restrictions intended to keep malicious PowerShell scripts from doing harm. The researchers say antivirus, host intrusion prevention systems (HIPS), the software restriction policies (SRP) built into Windows Group Policy, and other advanced security software products cannot protect computers from these attacks. AppGuard protects Windows computers from these sophisticated zero day attacks.
What is PowerShell?
PowerShell is Microsoft’s task automation framework: a command-line shell and an associated scripting language built on top of, and integrated with, the .NET Framework. It is extremely powerful, hence the name, and a script runs with the full privileges of the user who launched it and has the whole of .NET and the Windows APIs at its disposal. Thus, if a malicious PowerShell script is allowed to run, it can do extreme harm.
What Windows Operating Systems Are Affected by this Vulnerability?
Microsoft released PowerShell v2.0 in August 2009 as an integral part of Windows 7 and Windows Server 2008 R2. Versions for Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008 followed in October 2009 and are available for download for both 32-bit and 64-bit platforms.
PowerShell Vulnerability Enables Attackers to Elude Built-in Security Restrictions
Having endowed it with so much power, Microsoft shipped PowerShell with execution policies that govern which scripts may run. The default policy is “Restricted”: interactive commands work, but no script files (.ps1) run at all, local or remote. “AllSigned” permits scripts only when they carry a valid signature from a trusted publisher. “RemoteSigned”, one step looser, lets local scripts (i.e., already on the PC) run unsigned but requires a signature on scripts that Windows has marked as downloaded from the Internet; “Unrestricted” runs everything. Note that Microsoft’s own documentation describes the execution policy as a safety feature that keeps users from running scripts unintentionally, not as a security system that restricts what a determined user or attacker can do; the circumvention described next shows why that distinction matters.
The crux of the researchers’ work is that these restriction mechanisms can be circumvented: the execution policy is chosen by whoever launches powershell.exe, and a script body can be handed to it without a .ps1 file ever existing on disk. They presented and demonstrated their findings at the Black Hat and DefCon 2010 conferences and have also released Metasploit modules. Cyber criminals are undoubtedly developing and distributing malicious PowerShell-based malware that, the researchers say, cannot be stopped by antivirus, HIPS, SRP, or just about any other security software product you may have on your computer. Further, the researchers and cyber criminals are working on using PowerShell for process/code injection attacks, which are even harder for security software to catch.
Network security appliances and servers fare no better: they only stop attacks for which a virus signature already exists, and because trivially altering the script changes its signature, signature matching offers little protection.
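To make concrete why the execution policy is not a barrier, here is an added example; it is not part of the original article and not the researchers’ Metasploit code. It uses only documented powershell.exe switches, a deliberately harmless script body, and assumes PowerShell 2.0 on Windows 7 with no Group Policy execution policy in force (Group Policy scopes would override the settings used here):

```powershell
# Added example, not from the original article. Shows that the execution
# policy is a per-process preference chosen by whoever launches powershell.exe,
# so file-based controls (.ps1 signatures, SRP path rules) never see the script.
# The "payload" is a harmless Write-Output; PowerShell 2.0 / Windows 7 assumed.

# 1. Lock this shell (and the children it spawns) to Restricted, the Windows 7
#    default. Process scope is stored in $env:PSExecutionPolicyPreference, which
#    child processes inherit, so no admin rights or machine-wide change is needed.
Set-ExecutionPolicy Restricted -Scope Process -Force
Get-ExecutionPolicy -List

# 2. Write a trivial script to disk and try to run it the normal way.
$script = Join-Path $env:TEMP 'demo.ps1'
Set-Content -Path $script -Value 'Write-Output "script body ran as $env:USERNAME"'
powershell.exe -NoProfile -File $script
# -> "... cannot be loaded because the execution of scripts is disabled on this system."

# 3. Same file, same user: the launcher simply picks a different policy.
powershell.exe -NoProfile -ExecutionPolicy Bypass -File $script

# 4. The .ps1 on disk is not even necessary. The body can be piped to stdin
#    ("-Command -" reads commands from standard input, which Restricted allows) ...
Get-Content $script | powershell.exe -NoProfile -Command -

# 5. ... or passed as a Base64-encoded UTF-16LE string, the form a downloader
#    dropped by a browser or reader exploit would typically hand to powershell.exe.
$body = (Get-Content $script) -join "`n"
$enc  = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($body))
powershell.exe -NoProfile -EncodedCommand $enc

Remove-Item $script
```

Steps 3 to 5 all succeed under a Restricted policy and none of them requires a signed .ps1, which is why a control that inspects script files, or that relies on the policy setting itself, does not stop an attacker who can already launch powershell.exe.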
The obvious workaround is to remove powershell.exe from computers. However, this cannot be done on Windows 7, where PowerShell is an integral part of the operating system.
Expected Attack Vectors
For the most part, PowerShell attacks will piggy-back on other vulnerabilities that are used to deliver the PowerShell payload: for example, a vulnerability in Adobe Reader, Internet Explorer, or any other application on the PC that lets an attacker drop a downloader into user-space. In sophisticated attacks on high-value targets, the exploited application itself is used to launch the PowerShell attack. This means the following vectors deliver the attack (ordered from most to least likely):
- Visit a malicious/compromised website
- Open a spiked email attachment seemingly from someone you know
- Insert an infected USB thumb drive
- Open a document, seemingly from someone you know, with an embedded PowerShell script
- Mount a network drive carrying an autorun attack
- View a network drive, USB drive, or hard drive with a Windows LNK vulnerability exploit (patch issued by Microsoft 3 August 2010, except for Windows 2000 and Windows XP SP2, which are no longer supported)
AppGuard Protects Computers from PowerShell Worm/Trojan Malware
AppGuard has always been capable of defeating PowerShell attacks. To make that easier to use, the recently released AppGuard beta (version 2.0.6) blocks launches of PowerShell scripts (.ps1) from user-space by default. This blocks the most common vector, by far, for PowerShell-based attacks.
AppGuard Enterprise administrators as well as AppGuard users can increase protection further by adding powershell.exe to the ‘guard list’. Doing so blocks a less commonly used vector in which an application such as Adobe Reader or Internet Explorer is coerced by an attack into executing a PowerShell script. This method tends to be employed only by sophisticated attackers against high-value targets such as large corporations or government organizations.
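The coerced-application vector leaves a visible trace in the process tree: a powershell.exe whose parent is a browser, document viewer or script host. The following is an added example, not AppGuard’s code, that snapshots running powershell.exe instances with WMI, names their parents, and decodes any -EncodedCommand so a responder sees the command that actually ran. The list of suspect parent names is an assumption to tune per estate, and a snapshot misses short-lived processes, so it is a spot check rather than a control:

```powershell
# Added example, not AppGuard code. Point-in-time check for powershell.exe
# instances whose parent is a document viewer, browser, or script host, i.e. the
# "coerced application" vector. Parent names are assumptions; tune for your estate.
# Uses Win32_Process via Get-WmiObject so it works on PowerShell 2.0.
$suspectParents = 'iexplore.exe', 'firefox.exe', 'AcroRd32.exe', 'winword.exe',
                  'excel.exe', 'powerpnt.exe', 'outlook.exe', 'wscript.exe', 'cscript.exe'

function Decode-EncodedCommand([string]$cmdLine) {
    # powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...);
    # the operand is Base64 of UTF-16LE text. The {20,} length floor keeps short
    # operands such as "-ExecutionPolicy Bypass" from matching. Undecodable input is returned as-is.
    if ($cmdLine -match '(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]{20,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($matches[1])) } catch {}
    }
    return $cmdLine
}

$all   = Get-WmiObject -Class Win32_Process
$byPid = @{}
foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

foreach ($p in ($all | Where-Object { $_.Name -ieq 'powershell.exe' })) {
    $parent     = $byPid[[int]$p.ParentProcessId]
    # A parent that has already exited (e.g. a dropper that ran and quit) is itself a hint.
    $parentName = if ($parent) { $parent.Name } else { '<parent exited>' }
    $verdict    = if ($suspectParents -icontains $parentName) { 'SUSPECT' } else { 'ok' }
    '{0,-7} pid={1,-6} parent={2,-16} cmd={3}' -f $verdict, $p.ProcessId, $parentName, (Decode-EncodedCommand $p.CommandLine)
}
```

Run it as a user who can read other users’ processes (an administrator for a full view). Anything marked SUSPECT, or any powershell.exe whose decoded command line fetches and executes remote content, is worth an incident-response look regardless of what the execution policy says.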
As for the code injection variants of PowerShell attacks, when they strike, AppGuard’s MemoryGuard protection feature blocks them even if all other protection features are disabled.